[dns-operations] DNSViz 0.6.7 (FreeBSD 11.1-RELEASE-p10) reports all but first NSEC3 RRSIG as "BOGUS"

Casey Deccio casey at deccio.net
Mon Aug 6 16:32:14 UTC 2018

> On Aug 6, 2018, at 10:10 AM, Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
>> On Aug 6, 2018, at 11:16 AM, Casey Deccio <casey at deccio.net> wrote:
>>> I am trying to use the DNSViz CLI on my own machine, rather than
>>> farm out all processing to the website.  But I am running into
>>> unexpected wrinkles.  TLSA lookups that elicit multiple NSEC3
>>> records as proof of non-existence seem to consistently report
>>> "BOGUS" RRSIGs for all but the first NSEC3 record.
>> The problem is actually caused by a bug in graphviz.  I first noticed it in 2016:
>> https://groups.google.com/forum/#!topic/pygraphviz-discuss/rkoqKhN-R9o
>> Then there was an issue filed in 2017:
>> https://github.com/ellson/MOTHBALLED-graphviz/issues/1252
>> Apparently it had been fixed in the development version, but had not been backported to 2.39/2.40.  I haven't done enough poking around to find out which graphviz patch(es) need to be backported and log an official issue, but it could be done here:
>> https://gitlab.com/graphviz/graphviz/issues
> So "dnsviz print" and "dnsviz grok" use graphviz, even though they don't
> do any graphics?

While DNSViz uses graphviz to create the visual graph that you see on the Web site, it also uses the graphviz data structures to derive trust from trust anchor to RRset--and everything in between.  However, "dnsviz grok" does not use graphviz if you don't use the "-t" option.  It will still show errors and warnings, the same way the Web page would.  But it won't provide the "status" of an RRset because it doesn't have the structure to trace for it.

> And are affected by this bug?
> What version of graphviz
> are you using for the website?



More information about the dns-operations mailing list